CVE-2008-3611

Apple Mac OS X 10.4.11 - Auth Bypass

Title source: llm

Description

Login Window in Apple Mac OS X 10.4.11 does not clear the current password when a user makes a password-change attempt that is denied by policy, which allows opportunistic, physically proximate attackers to bypass authentication and change this user's password by later entering an acceptable new password on the same login screen.

References (7)

[Mailing List] http://lists.apple.com/archives/security-announce//2008/Sep/msg00005.html

[Vendor Advisory] http://secunia.com/advisories/31882

[Patch] http://www.securityfocus.com/bid/31189

[US Government Resource] http://www.us-cert.gov/cas/techalerts/TA08-260A.html

[Vendor Advisory] http://www.vupen.com/english/advisories/2008/2584

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/45171

[Third Party Advisory, VDB Entry] http://securitytracker.com/id?1020878

Scores

EPSS 0.0006

EPSS Percentile 17.0%

Classification

CWE

CWE-287

Status draft

Affected Products (2)

apple/mac_os_x

apple/mac_os_x_server

Timeline

Published Sep 16, 2008

Tracked Since Feb 18, 2026